#clojure-europe
2021-03-30
slipset 06:03:13

@orestis we switched from “native” mongo ObjectIds to randomly generated ObjectIds because you can “guess” the possible values of the next couple of ObjectIds, which makes for an attack surface.

slipset 06:03:52

(import 'java.security.SecureRandom)

;; 96 random bits, zero-padded to 24 hex digits (the width of a Mongo ObjectId)
(defn gen-id! []
  (format "%024x" (BigInteger. 96 (SecureRandom.))))

slipset 06:03:03

Oh, and if you’re a SaaS thingy, do consider using https://www.hackerone.com. It’s like an ongoing pen-test.

orestis 08:03:27

Is this a company that does pen tests? Or something more like https://www.zaproxy.org/

slipset 10:03:21

You could look at hackerone as a pentest platform.

slipset 10:03:51

They help set up bounty programs, and have a bunch of hackers which try to hack orgs (like Ardoq).

slipset 10:03:02

When the hackers find security holes, we pay them.

slipset 10:03:55

The hackers are incentivised to learn the app, and they find so much more than your yearly pentest does.

slipset 10:03:22

And your org is incentivised to keep the app secure, as it pays for every security bug found.

orestis 11:03:32

Oh that’s nice. We had a pentest which found some things but missed some glaring ones. Cost an arm and a leg and was very stressful since it was time-bound.

orestis 11:03:40

Is there pricing guidance on what to expect? I would hope the costs are bounded and there are NDAs... a bunch of random “hackers” trying to get in sounds scary if they’re not bound by some contract.

otfrom 07:03:54

Is it wrong that I make hackerone rhyme with macaroni?

😄 6
otfrom 07:03:42

And a very good day to @borkdude especially

slipset 07:03:18

I see no problem with that.

reefersleep 12:03:36

Good morning 🤗

genRaiy 13:03:49

morning, feels like lunch already 🍝

3
thomas 13:03:31

Lunch? I haven't even woken up yet properly!!! You crazy man 😉

😛 3